Computer networks are often plagued by malware such as worms that use the resources of network processing devices without the knowledge and permission of the owner. Worms are computer programs that self-replicate by sending network packets to unguarded elements of the network. This type of malware is often used for identity theft and financial fraud, and thus poses a threat to users of the Internet and to businesses that have an online presence. Fast spreading “flash worms” are particularly troublesome, and worms like Code Red and Nimda have caused major congestions in the internet as well as shutting down the entire network of many enterprises. Different approaches currently exist for identifying and preventing further spread of such malware, including signature-based methods, traffic anomaly methods, and so-called honey-spot techniques. Signature-based techniques are largely ineffective since it takes time to write a signature and test it, and it is very easy for worms to change signatures to avoid detection and remedial action. Moreover, this approach requires the costly and tedious task of keeping anti-virus software up to date, whereby these methods are largely ineffective against flash worms. The incorporated copending U.S. patent application Ser. No. 11/656,434, filed Jan. 23, 2007 by Chow et al. is directed to detection of fast scanning worms in a conventional network switch having a single host computer connected to a dedicated switch port, and accordingly does not need to perform anti-spoofing since suspected worms are associated with a physical port. Wireless LANs are becoming more and more prevalent, however, in which portable computers and other wireless clients gain access to the network via shared localized access points, which are connected to the switch port. As there are potentially many clients associated with a given switch port, this solution is not suited for wireless networks, as the detection is unable to resolve the identity of a particular client device, and instead only identifies the access point (port) as infected. Other conventional traffic anomaly solutions can provide quick detection capabilities, but require complex processing that cannot be done at the fast data-path, and instead are primarily implemented in stand-alone switches that incorporate the worm detection function. Therefore, a need remains for improved methods and systems for malware detection to identify local clients served by WiFi and other networks that are suspected of being infected with malware without requiring dedicated switches or servers for malware detection.